
An-tviuinv^nis so tho chmn^ (Ibis i)sn«g je]Haocs all pisoT vi;i&u>u.s}. 

I . t currently aiiieTided) A method comprising: 
deiectmg possible ssciirity problems at client locations; 

iir.n^:r:t l noiii.,. oi iho -f^-.s^'il^So sc.urstv probk-ms across a network in real umelo a 
hone locution rcTivo^, locarui iroiv tl.t. c'seiu kx'^tiOi)s; 

detomjirung, ai Vu<^ hone loc;itton, <u> anomai\ di ono or i.>i0ic of-ho obtut kvati.ris 
basc^d on an analysis ofat km the possible secuiity ftroblen^ s at two or n^oro of th e client 
location:^, in which t|ie anomaly is nol ap parent from analyzing the possibio secMt y^fifobjem or 
pro blems at only one of the ciient locations : and 

iran.-!nn!tirtg notice of ihe anomaly in real time to the client Iocati*)ns at which the 



2. (original) The method of claim 1 further comprising tran&mhting noiie« of tlie 
anomaly in real tistic to other client locations that may communicate with tlie home location o%cr 
ihe network. 

3. {cancelled) 

4. (original) The ihetliod of claim 1 futther compdsiiig injecting a packet thai 
aTiyes at the clieiit location to detect the possible security: problem. 



private netwoyks. 

6;. loriginall The method of claim i iti which the anomaly imludfes BnatithorixM 
access to the network. 





7. (original) Hie tnethod of claim 1 in which the anomaly includes miauthoriied 
access of a resoiircc accessible through the netAvorfc 
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^ o u iu\ he hod s '"cl mn 1 n vvhkh tb. <xi ot« <i x. p t uJ > inatitlkMi t... us,t. 
OT resources avaslatjle through the networs- 

^ ^ 5 ji V ^ 1 \{ u{ L coinpn ng 

t» luici jiv-i^auabk 5.ic<Ju«r coiitairii machine i^xecata')tt imtruCvUsu'v mo 
insmiciions causing a machine to: 

detect, possible seeunty pmblems at client iocauotts; 

t ^ >5' U(r5cc v'>f the possible an ■> j lo ■}\cvt.i> ac'0">. & xictv <ea' t ire a 
■sc^src Ov-atiUu ^ ^ Km \ x lo 

vc v'-*) u, <* .h(, ho*i c KKw*ion, an .i'lmialv at ono oi jik a ^ ^ ^.^t, ^' s u u wi s 
T ^sv'ct on ai? an<?lvsis ol <i* ^e. 5st the possible security problem*? at iy> o or more of tlic cjxon 
k i xiwns^ m woich the aiiomah not <ippaicnt f rom anaj>/mg the possibl e {>ccurjn piohic ir or 
i}K!hit»-j-^ a .>\ ere of i'e cheat locations , and 

' > i M t !0i %i\ m reai time to the client locations <:4 whwb the 

' iOx5g in i, * hv aii i-iv. Ol ^lajm 9 fulht-r c<iUs-nig <* nai,' if c to lai ^ others, c 
l! c anon^ah m I time other chent locations that may commamcatc with th^ home iocatso'i 
over the T^etworK 



ii'^pc^* a pa^,Kct vhat aiT*>e{> ^; tnc client location to detect the poss'bk ^ccuntx. p^^blcm 



!. <.vM i h<. art cic of t.la m v ir \\ «f^t> * 

►lightlK netjftt^ Kcoirpii itv 




S;.oc:nbc; {>, 2001 



Ationiey's Dockcs No.: i'.)>.'i9 -k,>3iR;S PiOS 'f- 



] -L {original) The ariicic of claim 9 m which the sinomasy includes Uiiaulhori/cd 
access to the network. 

15. (origii-sal) The asticic o C claini 9 in which the anomaly includes unauthodsjed 
access of;-; resource accessible ihrougb the nct\^'ork, 

16. (oviginai) The ailicle of claim 9 iti which tiie imonuily includes unauihoi izcd use 
of resources avaiiafele throagh the tieiwork, 

1 7. icurreiitly amended) A method, comprising: 

at a hon^e location in a network, receiving from at least two remote clients indications of 
possible security problems at the clients; agd 

detennirJra; in re;i i tisYJc, at the home location, an existence of an anomaly at 4^H-l«ast 
4-vv4> OiiOi>LliK-i"-^^>!j ;'enu>ie clients based oti an ami lysis of a t least the indicaiions of the 
possible securny problems ai iwo or TrK)re of the remo te cUenis. in w hich the anofnaly is iiot 
apparent fro m analyzing the indica tion. or/indkatixO|is securi ty probje?u or probiems.at 

o nly oae of the remote e lients?-««d 





18. (oiirrently amended) Ths method of ciaiis 1 7 fmlm comprising u-ansmitting 
sioiice of the existence of the anomaly in real time from the home location to the remote cH.enls 



9 {^vKr'<.n)l> an- ended) ■n?t method of ckim 17 furthct compnsmg tiansmittuiic 
^ I K is V V. rrtH^-^r4^^ ^ ihe .^on\ii> ir "c.vUir.v r on" the home locatjon toother 
re .1 tv J_ui_.. ' f ^ ath r-^ th.v riu> tommumcaie w ith the lu^rse location qvlt the netwotk 





mlom alior iron the home locdtion to the remote c hems ck t ;Rl loc-iUf>»s to 'lelp tht remote 
csjcti_5.>.f <-^f> d * ists set uiitv problems 

i_ f e ig^nal) 1 ho irtcihod o> ciaim 1 7 further ^.ou pns ug Otlen n u*g viiv v\i itenee of 
the * no}\<* TifeOvl at least information icganJmg previous arom^icfe 

23-27. (esacdled) 

28, (cun'entH'- tsmeiidsd) An apparatus comprising; 
E server; 

fiibt n echaii'sm avc^^ssibie b> th«. server to detcimme an a^iomaly at [fiwo| oiio or 
Ttiorc ci'oms K»se 1 > * K st infoimatu-^n kxnn [hhii]] two oi more of the c lients r^ganlmf.'' 
po&tsjhL sCv .it 1- c ■'iO'! ^^iliiJbicM::^* TQiMb ^ot appaient rrj^r i tn c^S/m.j mc possible 

VI second nucffl \isr^ jv^te^ijiWo b\ ^he scnci vo trarsuiu uone^ o* me anon&.\ i*' iCvil 
time over a aetwork to tlie chcBtsi-afid : 

29, {prii\ x>usl% p»csetitcd) The apparatus of claim 28 m wkclj the irsi mu'h^imsn. 
aetemiuies tise anomaly basea on at least mfomiatiOB regardmg previously detemiinsd 
aiiomais«s> 

30, fciiirently amended) A system comprising; 
two or more client terminals; 

Ibr each ofthe client terminals, 

a ilrst client mechanism accessible by the client terminal to detect a possible 
security problem at the dmnt tenriinal, 

a second client mechanism accessible by the client tei'minal to transmit notice of 
ihe possible security probleit^ across a network in real time to a server renK>t.eiy located from the 



chefu femiinal, and 

a third client mechanism accessible by the client lemiinal to receive updates from 
ihe server in real lirne regarding security problems that the Srst client meclianism may use in 
deteciing possible security problems; 



or nio^c i>lfe?*H Ogjinoniim^^^ o,; loasi ipJoiinjsion from iht; t^x u or njore <L-Uei^is ojjctu 

U^iT-\r;.i<.V.':'.'"<-\^^ii "'i^^o possjbk" ATurti y )?ruliicnis , in vvhich tiie a?mia ly is noi apparcii^ 
i^»#yr^vsg . 0'!<-^i^) fon7j^ security problem or problems at o nly one of the 

rem ote clie nt tgnBinals : md 

a second server mechanisTn accessible by the server to iransmh notice of the ajionialy in 
real tinie c^ er ihe neiwork to the cJient tentiinals at which the possible security problems arc 
deieeiedr-a?^ 





3 1 . (original) I'ho system of claim 30 in which the fmi client mechj.nisni is also 
cr,nujiured to fKu'$ftor paokcts -Jiat arrive at the client tcfininai for xbj possibk' <;cc'ritj problem, 

32. (origiriai) liio sjysleni of claim 30 in which ihe tlrst scrsc! Jiiccha lisni is also 
con figured to determine the anomaly based on at least information regarding previously 
determined anomalies. 

33. v^riginal) The ^system of claim 30 in which ihe second server mechanism is also 
eoniigurecl to transmit notice of the anomaly in real lime to other client locations that may 
eoTiiniunicate with the server over the network, 

34. (previously presented) The system of claim 30 fuxtber comprising fn ewalls 
located between tlie client terminals and the server and conftgnred to act as an intermediary for 
inlbrmaiion tlovi-ing between the client tcmiinals and the server. 



a first sc-vcr -ncclva-^SiK ac>:.-s' t\. ^> dcUTinine an anosnrdx at 





35. (previously presented) "The systetn of claim 34 in which at least one of the 
lirewalis includes a coiporate server. 
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4; ; (0, if! CTU ly nTUCudcd ) A ractbod cojnpnsing; 

.serx o^ rcctjivnig from at least two remote clients mdicadoiis «f possible seciidiy 
problems at the- cUmts: 

determining in real time, at the sender, an existence of an aiwnialy based on the 
isniirats-ips of -1;c pi-^^ihic socuritj rroblenis ihmi ihc :U 1oa?t rcnioie client s, in which the 
.yioni.'ih ;s n--i appaiciU rroniau.iijiZr-Jg i.hPPP^j^ibiv^ !>ecuriis piohkm or pT-cbku-jg at oniy one of 
the remo ie chenis: and 

.sonciuig 55! 5e<ii Lime, from the iicrser to the remote ci^eni?, mlbrmation for isp<iaiing 
firewalls protecting the remote cHents to account for the anomaly. 

41, i ciin\?otly ajnended) A method comprising: 

dotcciing [[a]j possible security pn?b!ems problea?! at [|a]| two or moix ? clit'ut ]oc.iU.SO§ 

transiniiting notice of the possible stH^urity firobjemipf^fe^ across a network in real 
time to a honie location remotely located from tiie client bcationsjoeatioft; 

J. .V 'i,',!,. ; .,1 r . ' i; l-K.uson. ixti anomalv at one or mcre.of .'he clie'U loeaLious 
lvni-tj-tH>H ba;=cd Oil tbc po^ciihk- sccunjy problcins probte^Ti by searching tor panicular inforination 
in the aiiomaly, tlie particular infonnation including at least one of a network address previously 
noted as a security problem and a particnlar query or command associated with a knoun 
inimsion patten? or lechniquc , in which the anomaly is « Qt apparent from^^^^^^ the possible 

secuniy prohk^'s --J" pie bL\'- i S at onh^ one of die clien t locations: and 

inuu-n^tun;:; rjoiicc ofthv.- anomaly in real time to the client iocaiir>-L-> loc-tHfOH. 

42. (previously presented) A method comprising; 
deteeiing a possible security problem at a client location; 

transmitting notice of the possible security problem across a net-\^ork in real time to a 
home location remotely located irom the client iocatioti; 

detenniuing at the hon^c location an aiiomaly by at least comparing the possible security 
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1 V »^ h i V Ti'j ion { K>ush iO'«a1 at she nois .o<.ai ^ u liJvK sc. v. i io 
successsii! i Diit imsxpscted logs n ; ana 

waxibn n.m d iioticc ot the nonialv m ical time to Ihe client ocai'on 

43. (caBceiiea) 

44. (cancelled) 

45. (ctjn:e«tly amended) The apparatxis of claim 28, further comprismg al least one of 
a buniai^ imnuuie mechanism to collect information on userS j a eompkx -ky^itee^y-ffleeliaft^sB^ 
ciu^i-e dr?di>ef K>j-!n •■it;v.^*pk^^^ a?HHHriiy 4Ft>H<-k; 35x1 'd flngcfprmtHig mechanism to check 
and siQix names ;)i;J addrcs^e.- associated wnh bccurits problems. 

46. (previously presenied) The apparatus of claim 28, Itirther comprising a wide view 
n^echanisni to collect and maintain infom-satton rega^-ding anomalies reported to tiie server by the 
clients. 

4"^. ; v ■\ p.ouniol s Hic ;:ppa";iU!s of claim 28, further comprising a statistics 
nieclsanisn-s lo coii-puic and store records ofanomalies. 

48, (previously presented) The metliod of claim 40, further comprising at least one of 
collecting information on usens by using a human immune nitechanismrete¥i»t^*^4~p«i4<m¥M#tg 
e0»\p^leK"aiH^ysis o^«*©mal-y-1a--eji^-l>>^^Hd^^^ and checking and 

storing najnes and addresses associated wuh security profaierns by using a ilngerprinting 
mechanism. 



49, (preyiou$ly presentetl) The raethod of efaim 4G, fiirther compnsing computing 
atid storing records ofanomalies by usitig a statistics mechanism. 
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5?), (previously presented ) The nieihod of claim 4 1 , fmher compn&ing updalitsg, m 
rcai lime, a firewall protectiiig ibc ciieni location to account for the anomaiy, 

51 . (pf eviousi y presented) The method of claim 42, further comprlskg ypdatiag, iij 
real time, a ilrewa31 protecting the client; tocatiqn to accoimt for the ajiomalj'. 

52. (currently amen<fe# Tho ihjefcod of eiaim 42, in which searching for m a 
saccgs&ful biit n nexpected login comprises searchihg for at least one of a login at an imexpected 
hour, a logjii iroth p unexpected locationj and a ipgiiiiram ai> uiie5^^^ tiser. 

53. (new) The apparatns of claim 2S, further comprising a complexit y theory 
mechanism to store and peflbrtij eomplex Malysis of anom 



